Remote Code Execution via UTF-8 extended characters
Writing UTF-8 characters doesn’t work properly on team chat and fireteam chat. Writing "żółć", for example, can manipulate the mouse (mouse moves ingame, uses scroll to change weapons, shoots the gun). Writing ó on the end game screen writes × actually and posts various strings into chat window.
#1 Updated by tomich over 2 years ago
I can confirm this issue with the following clients tested:
- Linux 32bit
- Linux 64 bits
If I type áúíàùì in team chat some red dots appear on chat but also my character fires the weapon and looks up.
I tested connecting to an ETL 2.75 i386 server running on Linux x86_64.
#2 Updated by tomich over 2 years ago
- Category set to Client
- Priority changed from Normal to Urgent
User jakbu also found this out, which would make this a high priority bug and turn this into an exploit.
When you type óóóó in team chat, all your non bot teammates are affected in movement.
- They all fire their weapons. (confirmed by me also)
- They all look at the sky. (confirmed by me also)
- They cannot run (not confirmed by me yet)
The obvious: This would mean that by typing in chat, you can affect your teammates (non bot) movement and would make this bug an exploit.
I only tested this addendum on a Linux 64 bit client with another Linux 64 bit client. Didn’t have time to test on Windows, Mac or 32bit Linux but I assume this affects all platforms. Jakbu tested on Windows.
Also, in this bug system, you should add an option "All platforms" to the OS section.
#8 Updated by tomich over 2 years ago
- Subject changed from UTF-8 characters to Remote Code Execution via UTF-8 extended characters
- Priority changed from Normal to Immediate
I think IR4T4 did not understand this issue. Please change Status to active.
I changed the subject to reflect the criticality.
IR4T4, let me be clear with this issue:
By inputting characters in global chat/team chat or console, you can make ALL the other players move, shoot and do things.
If someone were to make a one line script that connects to every ETL public server, it would ruin every public game.
This started as an issue with characters not being displayed, but is clearly now an exploit and should be taken seriously.